Analysis
-
max time kernel
151s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
27/03/2024, 10:36
General
-
Target
e1759a77b0e691e837303f104c66896b.exe
-
Size
1.9MB
-
MD5
e1759a77b0e691e837303f104c66896b
-
SHA1
a5069270a0e8b1d167e0868cc93afd38a0ce74d2
-
SHA256
a0b19680c9e2e5c4d0d968c267295f5bea30e6063869aedd15fcfff56c6b6b38
-
SHA512
2c734cc863ac8f91ab7860472d18f3e8fd7329d5dd9352530c4245460d8fffcde458f28b1415977418a3b5e3699863f3308dbcc8c3676ae28a7243058e0483b7
-
SSDEEP
49152:ISlNHydXboE+2pKWTvP6p9kB/GS0fsXCFJ:ISjydNCYn0+Q
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 4 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1759a77b0e691e837303f104c66896b.exe"C:\Users\Admin\AppData\Local\Temp\e1759a77b0e691e837303f104c66896b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:38 /f5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:39 /f5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:40 /f5⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5959ef517c54994c6868d2e25db7c71ad
SHA1208ecc065153fce47b77bd87063a0315bd0353a0
SHA2560036e5704e55f8a9263e3c19b383631ad4c04325f8680697b78aa197ed2c6c78
SHA512af83a2d95a086057890ea623a0393816dbe605c7d8927660b8caefbf8dbfd51a6f0cb26ff7c6d0f92633ccf5271a195f26dd4d3b3b9699be800cb9d4cc50446d
-
Filesize
1.4MB
MD59e6f5031a37e5efcd166faed929c59aa
SHA1ea0acb2da09de4671d77e25027546b7331b15830
SHA25699b5a3622572f5d5e84d1621ed55ddc72e29d80cf50cd44cba61fef7f5f42ee3
SHA512d910cd5d863637359c9b71fecdc31ee14434aa44e733d7d568a39225037c42c5347a7b1c85ce00a2c4c40f93f0f296096bb0dc98d262e2a14239f7fa13791c6e
-
Filesize
1.9MB
MD5b0bb01dac8e243dfa1e44cada32a782e
SHA1c3f0f775e41ef7004ca4652d6f3587df52b6b27e
SHA256abcf8d7dc5d67b7d6a1a5f7d6effe8cad720ab37a28376f77664df6524bf4bbb
SHA512245f9873bba817eaa6ec89969714e51ce984d92ffc8e00f53f63578817a90f803fb643a79aee65aa934412cc3f3e1d801634349a150996c9ca73ea92461a1f70
-
Filesize
896KB
MD5543b4f0ec5c2ac3bdf5cc59bb1bcbe20
SHA1f3675841d6910d8ad74d017d581e4a6dd76e1b26
SHA256e9ba65fb6cf657f1fb31ebf52923892f5d708c9e69cba433aee2641b12edf548
SHA5123164ea1f304f9fd299e4713b511edef366ed471f5ad67295ba6489e25f5579a16987868a98c76c3143720bfa616e55712e01abcf6fd6d483efc983d4eea3a36c
-
Filesize
704KB
MD5a8f5f52661d313d11d44778c63947443
SHA191c85b3c78241a467e17308abd2cb11f0ba39d0e
SHA2560c11f2a60546b6cfe01dfe86b85e0abb0667ee4db07712a5e2620a66b6a44d85
SHA51237ecf005b3d5e7a740d62da982dc706ff752e84875ef7c11c63da965be02d8d7ee513fdb7b8209d6c1d89318c865a3e9b6b5c1ccf63dd19b2924d46f03bee355
-
Filesize
726KB
MD582fdce4c55f4f746572cd94e79391772
SHA1fc11454b6c329e655a85e88713c5c565d41c8290
SHA256fbcd1df2e03a7d51f2af94f0f6765eda65a90478b056c950b44065218d012837
SHA5129532d63c7cdaea5664ad8570ed1d8a988da15bccee405b8d15aa60480c91b48276757a42acf2547c0f4081335f8ed3a7103d4830c4b815fcbdade09b1d4204bc
-
Filesize
1.9MB
MD5314189c8add5d2fe9bf806c385b9a895
SHA13a6a93a9988f198c26427fcdbc98ff2adbb9988c
SHA256c271ae6c35406f9b1954bfc69ca4373b7b468abeef960eedc60bdf699f5ccad2
SHA512ed7cea8cb33a3bd321cf2e2c8758adeb92962ac1496b7f8ec62f9cea095c125eb1c488951c748876f6f89ebf94babc2dc5e7c08c91948f8b4bec9126aa451da0
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
8KB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
960KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
960KB
-
Filesize
1.3MB
-
Filesize
76KB
-
Filesize
4.4MB
-
Filesize
528KB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
816KB
-
Filesize
960KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
960KB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
816KB
-
Filesize
1.3MB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
1.3MB
-
Filesize
816KB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
960KB
-
Filesize
816KB
-
Filesize
4.4MB
-
Filesize
1.3MB